Mahendra

Researcher fromBAE Systems Detica
#11003of 53,633
25Total CVSS
Vulnerabilities · 4
Medium
2
High
2
PT-2017-6329
7.5
2017-10-16
Fiyo · Fiyo Cms · CVE-2014-9148
**Name of the Vulnerable Software and Affected Versions** Fiyo CMS version 2.0.1.8 **Description** The issue allows remote attackers to bypass intended access restrictions. This can be achieved by executing specific functions, such as the "Install and Update" or Backup super administrator function, via the `view` parameter in a direct request to "fiyo/dapur". **Recommendations** For Fiyo CMS version 2.0.1.8, consider restricting access to the "fiyo/dapur" endpoint to minimize the risk of exploitation. Avoid using the `view` parameter in direct requests to this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.
PT-2014-3023
7.5
2014-12-27
Softaculous · Webuzo · CVE-2013-6041
**Name of the Vulnerable Software and Affected Versions** Softaculous Webuzo versions prior to 2.1.4 **Description** The issue allows remote attackers to execute arbitrary commands via shell metacharacters in a `SOFTCookies` `sid` cookie within a "login" action. This is related to the `index.php` file. **Recommendations** For versions prior to 2.1.4, update to version 2.1.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the `index.php` file to minimize the risk of exploitation. Avoid using the `sid` cookie in the affected login action until the issue is resolved.
PT-2014-3024
5.0
2014-12-27
Softaculous · Webuzo · CVE-2013-6043
**Name of the Vulnerable Software and Affected Versions** Softaculous Webuzo versions prior to 2.1.4 **Description** The issue concerns the login function, which provides different error messages for invalid authentication attempts based on whether the user account exists. This allows remote attackers to enumerate usernames by sending a series of requests. **Recommendations** For versions prior to 2.1.4, update to version 2.1.4 or later to resolve the issue.
PT-2013-5900
5.0
2013-10-02
Spring Signage · Spring Signage Xibo · CVE-2013-5979
**Name of the Vulnerable Software and Affected Versions** Spring Signage Xibo versions 1.2.x through 1.2.2 Spring Signage Xibo versions 1.4.x through 1.4.1 **Description** The issue allows remote attackers to read arbitrary files. This is achieved by using a .. (dot dot) in the `p` parameter to the "index.php" endpoint. **Recommendations** For Spring Signage Xibo versions 1.2.x through 1.2.2, update to version 1.2.3 or later. For Spring Signage Xibo versions 1.4.x through 1.4.1, update to version 1.4.2 or later.